Abstract. We introduce a novel technique for checking reachability in Petri nets that relies on a recently introduced compositional algebra of nets. We prove that the technique is correct, and discuss our implementation. We report promising experimental results on some well-known examples.



Introduction 

We introduce a novel technique for checking reachability in 1-bounded Petri nets. Our approach relies on a structural decomposition of nets, using the algebra of nets with boundaries developed in [1,2,18] and the algebra of labelled transition systems (LTS) originally developed in [10]. After explaining the intuitions and some motivating examples, we prove the technique correct, discuss our implementation and report on experimental results.

Many asynchronous systems are regular in their structure, in the sense that they can be 
considered as a suitable composition of several identical, communicating components. In many such 
systems, the communication between individual components can be characterised using relatively 
small (w.r.t. the size of the global state space) amounts of information, and as a consequence, the 
reachability of a particular global state can be checked locally. The algebra of nets with boundaries 
allows us to capture precisely how separate "component nets" communicate with each other. 





Fig. 1: The net $B_4$ and a "cut" along its transition $t_2$.



To illustrate the ideas that underlie our approach we introduce the simple, well-known¹ bounded buffer net $B_n$, illustrated in the left part of Fig. 1. We wish to check whether the "opposite" marking is reachable — that is, the places in the lower row are to be marked and the places in the upper row are to be unmarked. Taking a global view, a simple calculation confirms that the length of the firing sequence necessary to reach the desired marking is quadratic in $n$ (see Fig. 8a). We will, instead, check for reachability locally, component-wise, so imagine that the net is "split" into two nets $N_0$ and $N_1$ sharing the transition $t_2$, as in the right part of Fig. 1.

Remark 1. Observe (1) that $N_0$ and $N_1$ can proceed independently to reach the desired local marking, only "synchronising" on $t_2$, and (2) that the "synchronisation policy" is quite simple to describe. Indeed, $N_1$ can fire its local copy of $t_2$ an arbitrary number (including 0) of times during a successful computation; $N_0$ can reach its desired marking after firing its copy of $t_2$ at least twice, after which $t_2$ can be fired an arbitrary additional number of times. These two "policies" are clearly compatible, meaning that the entire net can reach its global desired marking.



¹ For example, see [7, Fig. 6].



To make the above intuitions precise, we recall the algebra of nets introduced in [18]. We will use a non-standard graphical representation of nets, more suited for illustrating the operations of the algebra: $B_4$ is rendered with the alternative graphical notation in the left-most diagram of Fig. 2. Transitions are represented using undirected links and each link can be connected to an arbitrary number of ports. Each place has two ports: one for incoming transitions, illustrated with a triangle pointing into the place, and one for outgoing transitions, illustrated with a triangle pointing out of the place. Thus the pre-set of a transition is the set of places to which it is connected via their outgoing port, and its post-set is the set of places to which it is connected via their incoming port. Transitions can also be connected to boundary ports, which serve as an interface between nets with boundaries. The net $B_4$ can be expressed as the composition $\top ; b_1 ; b_1 ; b_1 ; b_1 ; \bot$; the individual components $\top$, $b_1$ and $\bot$ are illustrated in Fig. 2. The operation that composes two nets along a compatible, common boundary is defined formally in §1.1.



Fig. 2: Obtaining $B_4$ as a composition of nets $\top$, $b_1$ and $\bot$.



Each component net with boundaries, together with its initial marking and desired local marking, can be translated to a non-deterministic finite automaton (NFA), with states being the reachable markings, and transitions the boundary interactions observed when net transitions fire. The initial state is the initial marking and the final state is the desired marking. We illustrate this translation in Fig. 3². For example, in the translation of $b_1$, state 0 corresponds to the initial marking and state 1 to the desired complementary marking. The labels of transitions are, in general, pairs of binary strings $\alpha$ and $\beta$, written $\alpha/\beta$, representing interaction on the left ($\alpha$) and the right ($\beta$) boundaries. The concept of "interaction on a boundary" is important and we will explain it further below. To guarantee compositionality, we must use an underlying step firing semantics of nets, i.e. a transition in the NFA witnesses the firing of a (possibly empty) set of independent transitions within the component net. Returning to the translation of $b_1$: the 0/0 labelled NFA-transitions in states 0 and 1 witness the possibility of no behaviour (i.e. the empty set of net-transitions firing), with the 0/0 label signifying that no net-transitions connected to either boundary were fired. The NFA-transition $0 \xrightarrow{0/1} 1$ witnesses that the right hand side net-transition has fired and produced the desired marking. The fact that the fired transition is connected to the port on the right boundary is recorded by 1 in the transition label. The remaining NFA-transition is symmetric.




² All illustrations of automata were generated with GraphViz (http://www.graphviz.org). For space-efficiency, transitions are annotated with sets: {x, y}, representing the existence of two transitions, labelled respectively x and y. We use * in the labels as shorthand for any choice of 0 and 1.



The principle of compositionality, proved in Theorem 4, is illustrated in Fig. 4: given two $b_1$ nets, we can obtain the NFA representing their (composite) behaviour in two ways: 1) compose two $b_1$ nets to form the net $b_1 ; b_1$, and then generate its NFA, or equivalently, 2) generate the two (identical) NFAs for each $b_1$ and compose them, using a variant³ of the product construction. Compositionality ensures that the diagram commutes; in other words, the global behaviour of the composition of the two nets is completely determined by the behaviour of the individual nets, when synchronised along their common boundary.






Fig. 4: Compositionality at work. 

The NFA generated for $b_n = b_1 ; \dots ; b_1$ ($b_1$ composed $n$ times) has $2^n$ states, thus directly computing the automaton for $b_n$ is feasible only for small $n$. Fortunately, to generate a correct NFA of the composite net, it is sufficient to capture how each component net must interact on its boundaries in order to reach its local desired marking — its "synchronisation policy". To do this, we close the NFA with respect to internal ($\varepsilon$-) moves — those transitions labelled solely with 0s, signifying no interaction at the boundaries — to obtain an automaton with the same states, but with transitions being paths $a\,(\xrightarrow{\varepsilon})^*\xrightarrow{\alpha/\beta}(\xrightarrow{\varepsilon})^*\,b$. We then minimise the new NFA, obtaining a deterministic automaton (DFA), with an "error" state that is reached whenever an illegal (i.e. not in the behaviour of the underlying net) interaction is observed on the boundaries. This DFA minimally represents the entire behaviour (assuming that an observer may only observe traces) of the net, w.r.t. interactions on its boundaries.

Note that the states of the NFA obtained from a net are 1-1 with the reachable markings of the underlying net; in general, this is not the case after $\varepsilon$-closure and minimisation: the states of the minimal DFA merely capture the "protocol" the net must follow when interacting with its environment, in order to arrive at the desired marking. Indeed, for $b_n$, the resulting minimal DFA has $n + 2$ states. Of course, computing the minimisation of an NFA can be very expensive — in the worst case, triple exponential in the number of places of the original net — our strategy is thus roughly to decompose nets as far as possible (thereby only minimising small NFAs) and take advantage of any regular, repetitive structure in the net, via memoisation. As discussed, compositionality guarantees correctness — the fact that the square in Fig. 5, illustrating the process for $B_4$, commutes is a consequence of Theorems 7 and 9.


The applicability of our approach depends on finding "good" decompositions of nets. For $B_n \stackrel{\text{def}}{=} \top ; b_n ; \bot$, there are many potential decompositions: the optimal is the 1st decomposition in Fig. 6, which corresponds to the algebra term $(\top ; (b_1 ; (\dots ; (b_1 ; \bot) \dots)))$. Indeed, the composition of $b_1$ and $\bot$ minimises to the trivial accepting automaton; Fig. 7 contains illustrative translation steps of the different decompositions of $B_4$. In (i) the automaton for $b_1$ is composed with the automaton for $\bot$: after minimisation we again obtain the automaton for $\bot$. Thus the procedure reaches a fixed point after the first step, as illustrated in (ii). This fact formally captures the intuition about $N_1$ given in Remark 1. For this decomposition, memoisation guarantees that the composition and minimisation is performed only once. In particular, this means that checking reachability for $B_n$, given this decomposition, is linear in $n$. However, other decompositions do not lead to such good performance. In particular, consider the 2nd decomposition of Fig. 6: here, memoisation does not help (we obtain a different NFA composition after each step) and we must perform minimisation after each composition, as illustrated in steps (iii) and (iv) of Fig. 7.

Fig. 5: Minimising $B_4$, compositionally.

³ $(a, b) \xrightarrow{\alpha/\beta} (a', b')$ iff $\exists \gamma.\ a \xrightarrow{\alpha/\gamma} a' \wedge b \xrightarrow{\gamma/\beta} b'$.

⁵ All experiments were run on an Intel i7-2600 3.40GHz CPU, 16GB of RAM, running 64-bit Ubuntu Linux.




Fig. 6: Three decompositions of $B_n$, to which we refer as, respectively, right, left and balanced.



Our automated approach to deconstructing $B_n$ (discussed in §2.1) produces the 3rd (balanced) decomposition of Fig. 6. In this particular case we decompose by identifying a transition that connects two components of similar size. This decomposition, while not optimal, allows frequent use of memoisation, reducing the amount of computation. A table of running times for the construction of a minimal DFA for $B_n$, following the three decompositions of Fig. 6, is given in Fig. 8a⁵.



We have illustrated how the operation ';' allows decomposition of the net $B_n$ in order to exhibit its regular structure. We will briefly consider a second example that illustrates the use of the second operation of the algebra, '⊗'. Consider the net in Fig. 9, where we want to check whether all the places can be marked; N.B. this net is not 1-safe, but 1-boundedness means that a transition is blocked if there is a token present in its post-set. Our automated procedure constructs the decomposition illustrated in the right part of Fig. 9. In Fig. 13 we illustrate the steps involved in calculating the minimal DFA for $T_3$, and give a table of experimental results in Fig. 8b.



Structure of the paper. In §1 we study the foundations of our technique and prove it correct. In §2 we discuss our implementation and give additional experimental results. Connections with related work are in §3 and we conclude with directions for future research in §4. Due to space constraints, proofs and non-essential figures have been moved to the appendix.




Fig. 7: Translation of the decompositions in Fig. 6: (i), (ii) initial steps using the right decomposition; (iii), (iv) initial steps using the left decomposition; (v) final step using the balanced decomposition of $B_4$.

(a) Time to construct minimal DFA for $B_n$ with the three decompositions illustrated in Fig. 6. (b) Time to construct minimal DFA for $T_n$, using the decomposition described in Fig. 9.

Fig. 8: NFA construction times for $B_n$ and $T_n$.

Fig. 9: The net $T_3$, in traditional and alternative graphical notation, and its decomposition.



1 Nets with boundaries 



In this section we give the theoretical underpinnings of our technique, harnessing the composi- 
tionality of the algebra of nets with boundaries in order to prove its correctness. 

Notational conventions. For $n \in \mathbb{N}$ let $n = \{0, 1, \dots, n-1\}$. We write $2^X$ for the powerset of $X$. We write $X + Y$ for the set $\{(x, 0) \mid x \in X\} \cup \{(y, 1) \mid y \in Y\}$. Given $\mathcal{U} \subseteq 2^X$ and $\mathcal{V} \subseteq 2^Y$ we write $\mathcal{U} + \mathcal{V} = \{U + V \mid U \in \mathcal{U}, V \in \mathcal{V}\} \subseteq 2^{X+Y}$. We identify binary strings $\alpha = \alpha_0 \alpha_1 \dots \alpha_{k-1}$ of length $k$ with subsets of $k$ in the obvious way: $\alpha_i = 1$ iff $i \in \alpha$.

Definition 2. A net with boundaries $N : k \to l$ is $(P, T, k, l, {}^\circ\!-, -^\circ, {}^\bullet\!-, -^\bullet)$ where:

- $P$ is the set of places, $T$ is the set of transitions;

- $k, l$ are, respectively, the left and the right boundaries;

- ${}^\circ\!-, -^\circ : T \to 2^P$ give, respectively, the pre- and post-sets of each transition;

- ${}^\bullet\!- : T \to 2^k$ and $-^\bullet : T \to 2^l$ connect each transition to, resp., the left and the right boundary.

Additionally, we assume⁴ that for any $t \neq t' \in T$, ${}^\bullet t \cap {}^\bullet t' = \emptyset$ and $t^\bullet \cap t'^\bullet = \emptyset$. Ordinary Petri nets can be considered as nets $N : 0 \to 0$ with no boundaries.

We must use step semantics of nets instead of the more common interleaving semantics to guarantee compositionality; we will illustrate this in Remark 3. Let ${}^\circ t^\circ \stackrel{\text{def}}{=} {}^\circ t \cup t^\circ$. Transitions $t \neq t' \in T$ are said to be independent when ${}^\circ t^\circ \cap {}^\circ t'^\circ = \emptyset$. A set $U \subseteq T$ is said to be mutually independent (MI) when for all $u \neq u' \in U$, $u$ and $u'$ are independent. For sets of transitions $U \subseteq T$ we will abuse notation and write ${}^\circ U = \bigcup_{u \in U} {}^\circ u$; similarly for $U^\circ$, ${}^\bullet U$ and $U^\bullet$.

Each net with boundaries $N : k \to l$ determines an LTS whose transitions witness the step semantics of the underlying net, originally described by Katis et al. [9]. For the 1-bounded case, the labels are pairs of binary strings of length $k$ and $l$, respectively. The states are markings of $N$, denoted by $[N]_X$ where $X \subseteq P$. The transition relation is defined:

$[N]_X \xrightarrow{\alpha/\beta} [N]_{X'} \;\stackrel{\text{def}}{\Leftrightarrow}\; \exists\ \text{MI}\ U \subseteq T.\ {}^\circ U \subseteq X,\ U^\circ \cap X = \emptyset,\ X' = (X \setminus {}^\circ U) \cup U^\circ,\ {}^\bullet U = \alpha,\ U^\bullet = \beta$



1.1 Composition of nets with boundaries 

Suppose that $N : k \to l$ and $M : l \to m$ are nets with boundaries. A synchronisation is a pair $(U, V)$ where $U \subseteq T_N$ and $V \subseteq T_M$ are MI sets of transitions, with $U^\bullet = {}^\bullet V$. Given synchronisations $(U, V)$ and $(U', V')$, we say $(U, V) \subseteq (U', V')$ exactly when $U \subseteq U'$ and $V \subseteq V'$. The trivial synchronisation is $(\emptyset, \emptyset)$. A synchronisation $(U, V)$ is said to be minimal when it is non-trivial and, for all synchronisations $(U', V')$, if $(U', V') \subsetneq (U, V)$ then $(U', V')$ is trivial. The set of minimal synchronisations of $N$ and $M$ is denoted $\mathrm{sync}_{\min}(N, M)$. The composed net $N ; M : k \to m$ has:

- $P_N + P_M$ as its set of places,

- $\mathrm{sync}_{\min}(N, M)$ as its set of transitions. Given $(U, V) \in \mathrm{sync}_{\min}(N, M)$ we let ${}^\circ(U, V) \stackrel{\text{def}}{=} {}^\circ U + {}^\circ V$, $(U, V)^\circ \stackrel{\text{def}}{=} U^\circ + V^\circ$, ${}^\bullet(U, V) \stackrel{\text{def}}{=} {}^\bullet U$ and $(U, V)^\bullet \stackrel{\text{def}}{=} V^\bullet$.

Examples of compositions of the net $B_n : 0 \to 0$ are given in Figs. 2 and 6. Another example is given in Fig. 10, with the resulting transition arising from the minimal synchronisation $(\{t_1, t_2\}, \{t_3\})$.



Remark 3. The example in Fig. 10 illustrates the necessity for step semantics in order for compositionality to hold. Indeed, in the composition $X_0 ; X_1$ we have the transition $[X_0 ; X_1]_{\emptyset} \to [X_0 ; X_1]_{\{1\}}$ that witnesses the firing of its transition. This transition decomposes into a step of $X_0$ labelled $/11$ and a step of $X_1$ labelled $11/$. The first of these requires the simultaneous firing of $t_1$ and $t_2$ in $X_0$; thus if we had considered interleaving semantics then compositionality would fail in this example.
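As an added example (not the paper's or its implementation's own code), the definitions of §1 and §1.1 in Python: nets with boundaries, 1-bounded step firing that yields the NFA of §1.2, and composition N ; M via minimal synchronisations. The nets $b_1$, ⊤ and ⊥ are a constructed reading of Figs. 2 and 3, and $X_0$, $X_1$ are a constructed stand-in for Fig. 10 with the single synchronisation $(\{t_1, t_2\}, \{t_3\})$, so that the point of Remark 3 can be checked by switching multi-transition steps off.

```python
from itertools import chain, combinations

def powerset(items):
    items = list(items)
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))

def bits(ports, width):  # a set of boundary ports as a binary string of the given width
    return tuple(int(i in ports) for i in range(width))

class Net:
    """Net with boundaries N : k -> l (Definition 2).  trans maps each transition name to
    (pre-set, post-set, left ports, right ports); indices 0..3 below select these."""
    def __init__(self, k, l, places, trans):
        self.k, self.l, self.places = k, l, frozenset(places)
        self.trans = {t: tuple(frozenset(x) for x in spec) for t, spec in trans.items()}

    def union(self, U, idx):  # °U, U°, •U or U• for a set of transitions U
        return frozenset().union(*(self.trans[t][idx] for t in U))

    def mi_sets(self):  # mutually independent sets: °t° ∩ °t'° = ∅ for distinct t, t' in U
        nb = {t: self.union([t], 0) | self.union([t], 1) for t in self.trans}
        return [frozenset(U) for U in powerset(self.trans)
                if all(nb[a].isdisjoint(nb[b]) for a, b in combinations(U, 2))]

def steps(N, X, step_semantics=True):
    """1-bounded step firing from marking X: MI set U fires iff °U ⊆ X and U° ∩ X = ∅,
    reaching (X \\ °U) ∪ U° with label •U / U•.  step_semantics=False admits only
    singleton steps, i.e. interleaving semantics, to contrast with Remark 3."""
    for U in N.mi_sets():
        if not step_semantics and len(U) > 1:
            continue
        pre, post = N.union(U, 0), N.union(U, 1)
        if pre <= X and post.isdisjoint(X):
            yield bits(N.union(U, 2), N.k), bits(N.union(U, 3), N.l), (X - pre) | post

def nfa_of(N, init, final, step_semantics=True):
    """NFA(N, init, final) of Sec. 1.2: states are the markings reachable from init and
    transitions (X, alpha, beta, X') record the boundary observation of each step."""
    states, trans, work = set(init), set(), list(init)
    while work:
        X = work.pop()
        for a, b, X2 in steps(N, X, step_semantics):
            trans.add((X, a, b, X2))
            if X2 not in states:
                states.add(X2); work.append(X2)
    return states, trans, frozenset(init), frozenset(final) & states

def compose(N, M):
    """N ; M (Sec. 1.1): one transition per minimal synchronisation (U, V) with U• = •V;
    places of N are tagged (p, 0) and those of M (p, 1)."""
    assert N.l == M.k, "boundaries must match"
    syncs = [(U, V) for U in N.mi_sets() for V in M.mi_sets()
             if N.union(U, 3) == M.union(V, 2) and (U or V)]        # non-trivial only
    minimal = [(U, V) for (U, V) in syncs if not any(
        (U2, V2) != (U, V) and U2 <= U and V2 <= V for (U2, V2) in syncs)]
    tag = lambda S, i: frozenset((p, i) for p in S)
    trans = {(U, V): (tag(N.union(U, 0), 0) | tag(M.union(V, 0), 1),
                      tag(N.union(U, 1), 0) | tag(M.union(V, 1), 1),
                      N.union(U, 2), M.union(V, 3)) for (U, V) in minimal}
    return Net(N.k, M.l, tag(N.places, 0) | tag(M.places, 1), trans)

# Constructed reading of Figs. 2 and 3 (not the paper's own code): b1 : 1 -> 1 has places
# top (initially marked) and bot; r (right port 0) moves the token top -> bot, l (left port 0)
# moves it back.  ⊤ and ⊥ have no places and one transition on their single port.
b1 = Net(1, 1, ["top", "bot"], {"r": ({"top"}, {"bot"}, set(), {0}),
                                "l": ({"bot"}, {"top"}, {0}, set())})
top_net = Net(0, 1, [], {"t": (set(), set(), set(), {0})})
bot_net = Net(1, 0, [], {"t": (set(), set(), {0}, set())})
# Constructed stand-in for Fig. 10: X0 : 0 -> 2 has t1 (marks p, right port 0) and t2 (no
# places, right port 1); X1 : 2 -> 0 has t3 on both left ports, so only the step {t1, t2}
# of X0 synchronises with t3.
X0 = Net(0, 2, ["p"], {"t1": (set(), {"p"}, set(), {0}), "t2": (set(), set(), set(), {1})})
X1 = Net(2, 0, [], {"t3": (set(), set(), {0, 1}, set())})

def summary():
    """Facts checked below: NFA(b1) has exactly the four transitions described for Fig. 3;
    b1 ; b1 has three transitions, one being the synchronisation ({r}, {l}); X0 ; X1 can
    mark p, and the matching step of X0 (label /11) exists only under step semantics."""
    _, t, _, _ = nfa_of(b1, {frozenset({"top"})}, {frozenset({"bot"})})
    b1b1 = compose(b1, b1)
    _, _, _, fin = nfa_of(compose(X0, X1), {frozenset()}, {frozenset({("p", 0)})})
    has11 = lambda step: any(b == (1, 1) for (_, _, b, _) in
                             nfa_of(X0, {frozenset()}, {frozenset({"p"})}, step)[1])
    return {"b1_labels": sorted((a, b) for (_, a, b, _) in t),
            "b1b1_transitions": len(b1b1.trans),
            "has_sync": (frozenset({"r"}), frozenset({"l"})) in b1b1.trans,
            "X0X1_marks_p": bool(fin),
            "step_has_11": has11(True), "interleaving_has_11": has11(False)}
```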



⁴ That is, at most one transition can be connected to any port on the boundary. This assumption allows us to simplify the definition of composition of nets; for the more general case see [2].




Fig. 10: Illustration of composition of two nets. 



The next result is a special case of [2, Theorem 3.6], where a more general algebra of nets is considered. We will rely on this to prove the correctness of our technique in Theorems 7 and 9.

Theorem 4 (Compositionality). Suppose that $N : k \to l$ and $M : l \to m$ are nets with boundaries. The following holds for all $X, X' \subseteq P_N$, $Y, Y' \subseteq P_M$, $\alpha \in \{0,1\}^k$ and $\beta \in \{0,1\}^m$:

$[N ; M]_{X+Y} \xrightarrow{\alpha/\beta} [N ; M]_{X'+Y'} \;\Leftrightarrow\; \exists \gamma \in \{0,1\}^l.\ [N]_X \xrightarrow{\alpha/\gamma} [N]_{X'} \wedge [M]_Y \xrightarrow{\gamma/\beta} [M]_{Y'}$

□

The conclusion of Theorem 4 implies that, for instance, bisimilarity is a congruence w.r.t. ';'. For the purposes of reachability checking, traces are sufficient.

Corollary 5. There exists a trace $[N ; M]_{X+Y} \xrightarrow{\alpha_1/\beta_1} \dots \xrightarrow{\alpha_n/\beta_n} [N ; M]_{X'+Y'}$ iff there exist traces $[N]_X \xrightarrow{\alpha_1/\gamma_1} \dots \xrightarrow{\alpha_n/\gamma_n} [N]_{X'}$ and $[M]_Y \xrightarrow{\gamma_1/\beta_1} \dots \xrightarrow{\gamma_n/\beta_n} [M]_{Y'}$. □

In particular, to check for reachability in a composed net, it suffices to find computations in the 
components that agree on their shared boundary. 

The other operation on nets with boundaries is $\otimes$, which can be understood as a parallel composition of nets. Given $N : k \to l$ and $M : m \to n$, $N \otimes M : k + m \to l + n$ has:

- $P_N + P_M$ as its set of places,

- $T_N + T_M$ as its set of transitions. ${}^\circ(t, 0) \stackrel{\text{def}}{=} \{(p, 0) \mid p \in {}^\circ t\}$, ${}^\circ(t, 1) \stackrel{\text{def}}{=} \{(p, 1) \mid p \in {}^\circ t\}$, and similarly for $(t, 0)^\circ$ and $(t, 1)^\circ$. Instead ${}^\bullet(t, 0) = {}^\bullet t$ while ${}^\bullet(t, 1) = \{k + i \mid i \in {}^\bullet t\}$; similarly $(t, 0)^\bullet = t^\bullet$ and $(t, 1)^\bullet = \{l + i \mid i \in t^\bullet\}$.

Compositionality also holds w.r.t. $\otimes$: $[N \otimes M]_{X+Y} \xrightarrow{\alpha\alpha'/\beta\beta'} [N \otimes M]_{X'+Y'}$ iff $[N]_X \xrightarrow{\alpha/\beta} [N]_{X'}$ and $[M]_Y \xrightarrow{\alpha'/\beta'} [M]_{Y'}$. Due to space constraints we omit the details here; they are straightforward as there is no interaction between the two nets.



1.2 From nets with boundaries to NFAs 

By an NFA with boundaries $A : k \to l$ we mean an NFA $A$ with set of labels $\{0,1\}^k \times \{0,1\}^l$, written $\alpha/\beta$ where $\alpha \in \{0,1\}^k$ and $\beta \in \{0,1\}^l$. Given NFA with boundaries $A : k \to l$ and $B : l \to m$, the NFA with boundaries $A ; B : k \to m$ is obtained by a variant of the product construction where $(x, y) \xrightarrow{\alpha/\beta} (x', y')$ iff there exists $\gamma \in \{0,1\}^l$ such that $x \xrightarrow{\alpha/\gamma} x'$ and $y \xrightarrow{\gamma/\beta} y'$. Given NFA with boundaries $A : k \to l$ and $B : m \to n$, the NFA with boundaries $A \otimes B : k + m \to l + n$ is obtained via another variant of the product construction: here $(x, y) \xrightarrow{\alpha\alpha'/\beta\beta'} (x', y')$ iff $x \xrightarrow{\alpha/\beta} x'$ and $y \xrightarrow{\alpha'/\beta'} y'$. The algebra of automata with boundaries described above is an instance of Span(Graph) [10].

Given a net with boundaries $N : k \to l$, and non-empty sets $\mathcal{X}, \mathcal{Y} \subseteq 2^P$ of, respectively, initial and final markings, we can consider its labelled transition system as an NFA, written $\mathrm{NFA}(N, \mathcal{X}, \mathcal{Y})$, that has initial states $\mathcal{X}$ and final states $\mathcal{Y}$. If $N : k \to l$ does not have any places then $\mathrm{NFA}(N, \{\emptyset\}, \{\emptyset\})$ has exactly one state, which is an accept state (see the NFAs for $\top$, $\bot$ in Fig. 3). The following is immediate.

Proposition 6. Given $N : k \to l$, initial and final markings $\mathcal{X}, \mathcal{Y}$, a marking in $\mathcal{Y}$ is reachable from a marking in $\mathcal{X}$ iff $L(\mathrm{NFA}(N, \mathcal{X}, \mathcal{Y})) \neq \emptyset$. □



We also have the following as an immediate consequence of Theorem 4:

$\mathrm{NFA}(N ; M : k \to m,\ \mathcal{X} + \mathcal{X}',\ \mathcal{Y} + \mathcal{Y}') \cong \mathrm{NFA}(N : k \to l, \mathcal{X}, \mathcal{Y}) ; \mathrm{NFA}(M : l \to m, \mathcal{X}', \mathcal{Y}')$

and in particular the two automata accept the same language.

1.3 Weak closure and minimisation 

Hiding internal computations in individual component nets is crucial for the performance of our technique. The procedure is akin to the $\tau$-reflexive-transitive closure of an LTS $L$, which yields an LTS $L'$ on which bisimilarity agrees with weak bisimilarity on $L$, in the sense of Milner [13].

Let $\varepsilon_{k,l} \stackrel{\text{def}}{=} 0^k/0^l$. Sometimes we will write simply $\varepsilon$ when $k$ and $l$ are clear from the context. Notice that given any net $N : k \to l$, for each marking $X$ there is a transition $[N]_X \xrightarrow{\varepsilon} [N]_X$ that arises from firing the empty set of net-transitions. In general, transitions $[N]_X \xrightarrow{\varepsilon} [N]_{X'}$ witness the firing of "internal" net-transitions in $N$, i.e. those that are not connected to any boundary port.

The weak transition system induced by $N : k \to l$ has transitions:

$[N]_X \xRightarrow{\alpha/\beta} [N]_{X'} \;\stackrel{\text{def}}{\Leftrightarrow}\; \exists X'', X'''.\ [N]_X (\xrightarrow{\varepsilon})^* [N]_{X''} \xrightarrow{\alpha/\beta} [N]_{X'''} (\xrightarrow{\varepsilon})^* [N]_{X'}$ (1)

Note that the above notion of weak transition differs from that considered in [2] but is close to the weak transitions of [17].

Theorem 7 (Compositionality w.r.t. weak semantics). Suppose that $N : k \to l$ and $M : l \to m$ are nets with boundaries. Then for all $X, X' \subseteq P_N$, $Y, Y' \subseteq P_M$, $\alpha \in \{0,1\}^k$, $\beta \in \{0,1\}^m$:

(i) if $[N ; M]_{X+Y} \xRightarrow{\alpha/\beta} [N ; M]_{X'+Y'}$ then there exist $p, q \in \mathbb{N}$ and $\gamma, \gamma_i, \gamma'_j \in \{0,1\}^l$ for $1 \le i \le p$ and $1 \le j \le q$ such that

$[N]_X \xRightarrow{0^k/\gamma_1} \dots \xRightarrow{0^k/\gamma_p} \xRightarrow{\alpha/\gamma} \xRightarrow{0^k/\gamma'_1} \dots \xRightarrow{0^k/\gamma'_q} [N]_{X'}$ and $[M]_Y \xRightarrow{\gamma_1/0^m} \dots \xRightarrow{\gamma_p/0^m} \xRightarrow{\gamma/\beta} \xRightarrow{\gamma'_1/0^m} \dots \xRightarrow{\gamma'_q/0^m} [M]_{Y'}$.

(ii) if $[N]_X \xRightarrow{\alpha/\gamma} [N]_{X'}$ and $[M]_Y \xRightarrow{\gamma/\beta} [M]_{Y'}$ for some $\gamma \in \{0,1\}^l$ then $[N ; M]_{X+Y} \xRightarrow{\alpha/\beta} [N ; M]_{X'+Y'}$.

□

Given an NFA with boundaries $A : k \to l$, let $\mathrm{emin}(A) : k \to l$ denote the DFA obtained by $\varepsilon_{k,l}$-closure and minimisation.

Remark 8. Recall that any ordinary net can be considered as a net with boundaries $N : 0 \to 0$. Now $\mathrm{emin}(\mathrm{NFA}(N, \mathcal{X}, \mathcal{Y})) : 0 \to 0$ is one of two DFAs: the DFA with one accept state (if a marking in $\mathcal{Y}$ is reachable from some marking in $\mathcal{X}$) and the DFA with one non-accept state (if no marking in $\mathcal{Y}$ is reachable from any marking in $\mathcal{X}$).

Given an ordinary Petri net $N$, initial markings $\mathcal{X}$ and final markings $\mathcal{Y}$, a simple but extremely inefficient way of checking the reachability of a marking is thus to directly compute $\mathrm{emin}(\mathrm{NFA}(N, \mathcal{X}, \mathcal{Y}))$ and check whether the single state in the resulting DFA is an accept state. Our technique for checking reachability is based on computing this DFA using a structural decomposition of $N$, which, when combined with memoisation, can result in fast execution times.

1.4 Correctness 

Here we give a formal account of our technique and prove it correct, using the previous results in this section. A wiring expression is a syntactic term formed from the following grammar

$T ::= x \mid T ; T \mid T \otimes T$

where the leaves $x$ are variables. A variable assignment $V$ is a map that takes variables to nets with boundaries. Given a pair $(t, V)$ of a wiring expression $t$ and variable assignment $V$, its semantics $\llbracket t \rrbracket_V$ is a net with boundaries, defined recursively in the obvious way: $\llbracket x \rrbracket_V \stackrel{\text{def}}{=} V(x)$, $\llbracket t_1 ; t_2 \rrbracket_V = \llbracket t_1 \rrbracket_V ; \llbracket t_2 \rrbracket_V$ and $\llbracket t_1 \otimes t_2 \rrbracket_V = \llbracket t_1 \rrbracket_V \otimes \llbracket t_2 \rrbracket_V$. We implicitly assume that variable assignments are compatible with $t$, in the sense that only nets with a common boundary are composed; we leave out the formal details, which are straightforward. Given a net $N : k \to l$, we say that $(t, V)$ is a wiring decomposition of $N$ if $\llbracket t \rrbracket_V \cong N$.

Given a wiring decomposition $(t, V)$ of $N : k \to l$, together with maps $\mathcal{I}, \mathcal{F}$, called, respectively, initial markings and final markings, that take each variable $x$ to a set of markings of the net $V(x)$, define $\mathrm{trans}(t)_{V,\mathcal{I},\mathcal{F}}$ recursively:

$\mathrm{trans}(x)_{V,\mathcal{I},\mathcal{F}} \stackrel{\text{def}}{=} \mathrm{emin}(\mathrm{NFA}(V(x), \mathcal{I}(x), \mathcal{F}(x)))$,
$\mathrm{trans}(t ; t')_{V,\mathcal{I},\mathcal{F}} \stackrel{\text{def}}{=} \mathrm{emin}(\mathrm{trans}(t)_{V,\mathcal{I},\mathcal{F}} ; \mathrm{trans}(t')_{V,\mathcal{I},\mathcal{F}})$,
$\mathrm{trans}(t \otimes t')_{V,\mathcal{I},\mathcal{F}} \stackrel{\text{def}}{=} \mathrm{emin}(\mathrm{trans}(t)_{V,\mathcal{I},\mathcal{F}} \otimes \mathrm{trans}(t')_{V,\mathcal{I},\mathcal{F}})$.

The function $\mathrm{trans}(-)$ is the formalisation of our approach, taking a wiring decomposition, together with initial and final markings, to a minimal DFA. Sets of markings of the leaf nets given by $\mathcal{I}$ and $\mathcal{F}$ can be combined to form a set of markings $\mathrm{mrk}(t)_{\mathcal{I}}$ of $\llbracket t \rrbracket_V$ in an obvious way: $\mathrm{mrk}(x)_{\mathcal{I}} \stackrel{\text{def}}{=} \mathcal{I}(x)$, $\mathrm{mrk}(t ; t')_{\mathcal{I}} \stackrel{\text{def}}{=} \mathrm{mrk}(t)_{\mathcal{I}} + \mathrm{mrk}(t')_{\mathcal{I}}$, $\mathrm{mrk}(t \otimes t')_{\mathcal{I}} \stackrel{\text{def}}{=} \mathrm{mrk}(t)_{\mathcal{I}} + \mathrm{mrk}(t')_{\mathcal{I}}$ (and similarly for $\mathcal{F}$).

Theorem 9 (Correctness). Suppose $(t, V)$ is a wiring decomposition of $N : k \to l$, $\mathcal{I}$ initial markings and $\mathcal{F}$ final markings. Then $\mathrm{trans}(t)_{V,\mathcal{I},\mathcal{F}} = \mathrm{emin}(\mathrm{NFA}(\llbracket t \rrbracket_V, \mathrm{mrk}(t)_{\mathcal{I}}, \mathrm{mrk}(t)_{\mathcal{F}}))$. □

An example application of Theorem 9 is the commutativity of the diagram in Fig. 5.

Note that we have not discussed how to obtain a wiring decomposition, starting from a net $N : k \to l$. As demonstrated in Fig. 8a, different decompositions result in markedly different performance. Our automated procedure for obtaining a decomposition is described in §2.1.
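As an added example (not the paper's or its Haskell implementation's own code), the NFA-with-boundaries algebra of §1.2, the weak closure of §1.3 and $\mathrm{trans}(-)$ of §1.4 in Python: ';' and '⊗' on labelled automata, $\varepsilon$-closure by subset construction, minimisation by Brzozowski's algorithm as §2.2 describes, and a memoised trans over wiring expressions. The NFAs for $b_1$, ⊤ and ⊥ are constructed from the description of Fig. 3, and the wiring expressions follow the right and left decompositions of Fig. 6, so the fixed point and the memoisation behaviour discussed in the introduction can be observed directly.

```python
from collections import deque
from itertools import product

class NFA:
    """NFA with boundaries A : k -> l (Sec. 1.2): labels (alpha, beta) are bit tuples of lengths k, l."""
    def __init__(self, k, l, init, final, trans):
        self.k, self.l, self.trans = k, l, frozenset(trans)       # trans: (src, alpha, beta, dst)
        self.init, self.final = frozenset(init), frozenset(final)
        self.states = self.init | {s for t in self.trans for s in (t[0], t[3])}

def labels(k, l):
    return [(a, b) for a in product((0, 1), repeat=k) for b in product((0, 1), repeat=l)]

def compose(A, B):  # A ; B: steps pair up iff A's right label equals B's left label (gamma)
    assert A.l == B.k, "boundaries must match"
    return NFA(A.k, B.l, product(A.init, B.init), product(A.final, B.final),
               {((x, y), a, b2, (x2, y2)) for (x, a, g, x2) in A.trans
                for (y, g2, b2, y2) in B.trans if g == g2})

def tensor(A, B):  # A (x) B: independent parallel steps, labels concatenated
    return NFA(A.k + B.k, A.l + B.l, product(A.init, B.init), product(A.final, B.final),
               {((x, y), a + a2, b + b2, (x2, y2)) for (x, a, b, x2) in A.trans
                for (y, a2, b2, y2) in B.trans})

def closure(A, S, eps):  # saturate S under moves labelled eps (all zeros); eps=None: no closure
    S, work = set(S), list(S)
    while eps is not None and work:
        x = work.pop()
        for (s, a, b, d) in A.trans:
            if s == x and (a, b) == eps and d not in S:
                S.add(d); work.append(d)
    return frozenset(S)

def determinise(A, eps=None):
    """Subset construction giving a complete DFA; frozenset() is the 'error' state.  With eps set,
    the input is read as the weak (epsilon-closed) system of Sec. 1.3."""
    start = closure(A, A.init, eps)
    trans, seen, work = set(), {start}, deque([start])
    while work:
        S = work.popleft()
        for lab in labels(A.k, A.l):
            T = closure(A, {d for (s, a, b, d) in A.trans if s in S and (a, b) == lab}, eps)
            trans.add((S,) + lab + (T,))
            if T not in seen:
                seen.add(T); work.append(T)
    return NFA(A.k, A.l, {start}, {S for S in seen if S & A.final}, trans)

def reverse(A):
    return NFA(A.k, A.l, A.final, A.init, {(d, a, b, s) for (s, a, b, d) in A.trans})

def emin(A):  # epsilon-closure, then Brzozowski minimisation (Sec. 2.2): reverse/determinise twice
    D = determinise(A, eps=((0,) * A.k, (0,) * A.l))
    return determinise(reverse(determinise(reverse(D))))

def canon(D):
    """BFS renaming of a complete DFA from its initial state: equal minimal DFAs compare equal (memo key)."""
    step = {(s, a, b): d for (s, a, b, d) in D.trans}
    (start,) = D.init
    names, queue = {start: 0}, deque([start])
    while queue:
        s = queue.popleft()
        for lab in labels(D.k, D.l):
            if step[(s,) + lab] not in names:
                names[step[(s,) + lab]] = len(names); queue.append(step[(s,) + lab])
    return (D.k, D.l, frozenset(names[f] for f in D.final),
            frozenset((names[s], a, b, names[d]) for (s, a, b, d) in D.trans))

def trans(t, assign, memo, stats):
    """trans(-) of Sec. 1.4 on t = ('var', x) | (';', t1, t2) | ('x', t1, t2): emin at leaves and after
    every composition, reusing the result whenever the two operand DFAs were seen before."""
    if t[0] == 'var':
        key, build = t, lambda: assign[t[1]]
    else:
        A, B = trans(t[1], assign, memo, stats), trans(t[2], assign, memo, stats)
        key, build = (t[0], canon(A), canon(B)), lambda: (compose if t[0] == ';' else tensor)(A, B)
    if key not in memo:
        stats['emin'] += 1
        memo[key] = emin(build())
    return memo[key]

# Constructed from the Fig. 3 description (not the paper's code): b1 : 1 -> 1 with states
# 0 (initial marking) and 1 (desired marking); ⊤ : 0 -> 1 and ⊥ : 1 -> 0 are one-state nets.
b1 = NFA(1, 1, {0}, {1}, {(0, (0,), (0,), 0), (1, (0,), (0,), 1),
                          (0, (0,), (1,), 1), (1, (1,), (0,), 0)})
top = NFA(0, 1, {0}, {0}, {(0, (), (0,), 0), (0, (), (1,), 0)})
bot = NFA(1, 0, {0}, {0}, {(0, (0,), (), 0), (0, (1,), (), 0)})

def right(n):  # T ; (b1 ; (... (b1 ; ⊥))), the 1st decomposition of Fig. 6
    t = ('var', 'B')
    for _ in range(n): t = (';', ('var', 'b1'), t)
    return (';', ('var', 'T'), t)

def left(n):  # (((T ; b1) ; b1) ...) ; ⊥, the 2nd decomposition of Fig. 6
    t = ('var', 'T')
    for _ in range(n): t = (';', t, ('var', 'b1'))
    return (';', t, ('var', 'B'))

def check(expr):  # (target marking reachable?, number of emin calls the decomposition needed)
    stats = {'emin': 0}
    D = trans(expr, {'T': top, 'b1': b1, 'B': bot}, {}, stats)
    return bool(D.init & D.final), stats['emin']
```

check(right(n)) performs five minimisations for every n, because b1 ; ⊥ minimises to the same one-state DFA as ⊥ and the memo table catches the repeat, whereas check(left(n)) performs n + 4.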



2 Implementation and experimental results 

Our implementation has been written in Haskell, and is available for download⁶. The high level view of our algorithm is:

1. As input, take an ordinary marked net $N$ (considered as a net with boundaries $N : 0 \to 0$) and a target marking, given place-wise, to be checked for reachability. Concretely, each place is labelled with 'Yes' (token must be present), 'No' (token must be absent) or 'Don't care'.

2. Using an automatic decomposition procedure (described in §2.1) we decompose the net, obtaining a wiring decomposition (as introduced in §1.4) enhanced with additional information to enable memoisation.

3. Taking advantage of memoisation — to eliminate duplicate computations — traverse the wiring decomposition tree to compute $\mathrm{trans}(-)$:

(a) At leaves, we have (typically, small) nets with boundaries, and the local desired marking. We use the procedure described in §1.2 to generate the NFA that corresponds to the net and apply $\varepsilon$-closure and minimisation, described in §2.2.

(b) At a composition node, we generate the NFAs corresponding to each sub-tree, and compose them using the variant of product construction discussed in §1.2, finally $\varepsilon$-closing and minimising the resulting NFA.

(c) At a tensor node, we generate the NFAs corresponding to each sub-tree, combine them using the standard product construction on NFAs, and perform minimisation.

The experimental results given in Figs. 8 and 12b are given for pre-constructed decompositions, that is, only step 3 of the algorithm is performed. The results in Fig. 12a were obtained using the implementation of the full algorithm.

⁶ http://users.ecs.soton.ac.uk/oslv07/ICALP13



2.1 Decomposer 



Our net decomposition algorithm attempts to find decompositions via two simple approaches: first we look for a net-transition that, when removed, results in two disconnected nets. If many such transitions exist then we take the one that results in the most balanced (in number of places) decomposition. An example is the balanced decomposition in Fig. 6. If such a transition cannot be found, we look for a place that, once removed, results in two disconnected nets. This results in a ';' node (that results from removing the place) followed by a '⊗' node (that composes the two disconnected nets). Again, if many such places exist, we look for one that results in the most balanced decomposition. An example of this decomposition strategy is the decomposition in Fig. 9. Both searches are quadratic in the size of the net. If neither a suitable transition nor place is found, we remove a place that results in the smallest boundary, after decomposition. The time taken to decompose the net is given in Fig. 12a; in this example the time to decompose the net dominates. Note that, given a net, a decomposition must be computed (or given as input) only once, after which various initial markings and desired markings can be considered.



2.2 NFA $\varepsilon$-closure and minimisation

Our approach relies on ignoring internal computations to reduce the state space to be explored. To produce minimal DFAs for an input NFA, we apply epsilon closure and minimisation, as detailed in §1.3. We perform epsilon closure through a variant of the subset construction on NFAs, which constructs the NFA of sets of states reachable through $\varepsilon$- or standard transitions, starting from the $\varepsilon$-closure of the initial states of the input NFA. To perform minimisation we employ the well-known algorithm of Brzozowski [3].

A notable implementation detail is that we use a variant of Reduced Ordered Binary Decision Diagrams (ROBDD, commonly written as BDD) to encode the transition relation of the NFA — the labels of our transitions are binary strings and thus any state $x \in X$ gives rise to a function $\{0,1\}^{k+l} \to \mathcal{P}(X)$. Traditionally, BDDs are used to provide compact representations for functions $\{0,1\}^k \to \{0,1\}$, but we found it a straightforward exercise to generalise from the boolean algebra of the booleans to the boolean algebra of subsets.



2.3 Experimental results and discussion 

In addition to the results in Fig. 8 we considered a standard net encoding of the dining philosophers problem. Given the nets in Fig. 11, let $PhRow_1 \stackrel{\text{def}}{=} (ph ; fk)$, $PhRow_{k+1} \stackrel{\text{def}}{=} (ph ; (fk ; PhRow_k))$. Then a table of $n$ dining philosophers can be obtained as:

$Ph_n = d_3 ; ((i_3 \otimes PhRow_n) ; b_3)$ (see Fig. 11). (2)



Running times, when checking for deadlock in $Ph_n$, are given in Fig. 12b. The slow growth w.r.t. $n$ illustrates the fact that our technique works well when a fixed point is quickly reached when traversing a wiring decomposition; for example, the right decomposition of $B_n$ in Fig. 6 reaches a fixed point after one ';' node in the wiring decomposition. The fixed point for (2) is reached when calculating $PhRow_3$: the resulting minimal DFA has 10 states, as shown in Fig. 13. Intuitively, this means that while one can distinguish between 1, 2 and $\geq 3$ philosophers via interaction on the boundary, all $PhRow_k$ reduce to the same minimal DFA for $k \geq 3$. Our procedure takes advantage of this: memoisation of compositions means that we minimise only once.

Many nets are not amenable to efficient decomposition and are unsuitable for our technique. For instance, our implementation performs poorly when input nets are cliques, nets where every place is connected to every other by a transition, or in general, on "densely connected" nets. One reason why our technique is infeasible for such nets is that two factors influence the size of the NFA generated from a net $N : k \to l$: (i) the number of places — if $N$ has $n$ places, this can translate to potentially $2^n$ NFA-states, and (ii) the size of the net boundaries, since it implies an alphabet of size up to $2^{k+l}$. In fact, even with hand constructed decompositions, our implementation fails to terminate even for very small cliques due to large boundaries in any decomposition.



(Fig. 11, component label: $Z_3 : 3 \to 3$)

Fig. 11: Component nets of philosopher decomposition. 
(a) Time to deconstruct $T_n$ (as per Fig. 9) and generate the minimal DFA. (b) Time to generate minimal DFA for $Ph_n$, defined in (2).

Fig. 12: Example NFA construction times for $Ph_n$ and $T_n$.
3 Related work



Algebras of nets and automata. The algebra of automata with boundaries used in this paper is an instance of the algebra of Span(Graph) [10], developed by R.F.C. Walters and collaborators: in fact, a translation from nets to this algebra was already present in [9]. The goal of the more recent work [1,2,18] was to lift this algebra to the level of nets in a compositional way, study the resulting behavioural equivalences and explore connections with process algebra. A theme of our work is to ignore state and focus on external interactions: here we were inspired by the ideas of Milner [13]. Conceptually related approaches in semantics of programming languages include [8,15].

Reachability in bounded, finite state Petri nets is a widely-studied problem and there are several well-known approaches to mitigating the impact of state-explosion (it follows from [4] that the problem is PSPACE-complete). Due to space constraints we are able to offer only cursory overviews and comparisons of techniques that are most related to our approach. A well-known technique is partial order reduction: in a seminal paper, McMillan [12] used the unfolding construction [11] in order to analyse reachability in Petri nets by generating finite complete prefixes, that is, initial parts of unfoldings that suffice for reachability. The algorithm to compute the finite complete prefix was later improved [7,11]. Unfoldings (and finite complete prefixes) carry more information about the computations of nets than merely reachability, for instance, allowing LTL model checking [5]. For an overview of the extensive field see [6]. A finite complete prefix must be constructed prior to a reachability analysis, analogously to our construction of a wiring decomposition prior to translation. Because of the different nature of the two approaches, it is difficult to offer a thorough analysis of their relative performance: on some of the examples we have considered the performance of our implementation is competitive (compare Fig. 8a with [7, Table 1]). Another technique, known as symmetry reduction [16,19], exploits symmetries in the state space: the goal is, roughly, to build a reduced reachability graph in order to visit only one representative from each orbit. Our use of memoisation is similar in spirit to symmetry reduction, since we only need to translate any particular wiring decomposition once.

In experiments ($B_n$, $T_n$, $Ph_n$ and others) our implementation often performs well in identifying
unreachable configurations; this is because in many systems the reasons for a configuration being
unreachable are "local". Here our approach contrasts with techniques such as unfolding or symmetry
reduction, where (efficient representations of) explicit reachability graphs are constructed.

4 Conclusions and future work 

We have introduced a new technique for reachability in bounded Petri nets, based on (i) structural 
decomposition using a recently developed compositional algebra and (ii) avoiding state explosion 
by focusing only on interactions between component nets, forgetting internal state. Our technique 
depends on finding efficient decompositions and works best when the computation reaches fixpoints 
w.r.t. interactions on boundaries in composed systems, as illustrated in the examples that we 
have highlighted. We have proved that the technique is correct, implemented it and performed a 
number of experiments. Finally, we have developed and implemented an algorithm for automatic 
decomposition of nets that performs adequately on a number of examples. 

In future work we plan to improve our decomposition algorithm and characterise the class of
nets to which our approach is suited. Additionally, by using the full algebra [2][18] of nets, in
particular the possibility of connecting several transitions to the same boundary port, we hope to
alleviate some of the problems identified in ^. We also plan to generalise our approach to other
models: for example, by examining symbolic representations of the algebras of P/T nets in [1][2]
we hope to extend our technique to coverability.
Appendix

In order to prove compositionality we first need to prove a small, technical lemma.

Lemma 10. Suppose that $N : k \to l$ and $M : l \to m$ are nets with boundaries and $(U, V)$ is
a non-trivial synchronisation. Then there exists a mutually independent family $\{(U_i, V_i)\}_{i \in I}$ of
minimal synchronisations with $U = \bigcup_{i \in I} U_i$ and $V = \bigcup_{i \in I} V_i$.

Proof. We argue by induction on $|U \cup V|$. If $(U, V)$ is minimal then the singleton family $\{(U, V)\}$
satisfies the requirements. Otherwise there exists a minimal synchronisation $(U', V') \subset (U, V)$.
Now since there is at most one transition connected to each point on the boundary, we have
$U'^{\bullet} \cap (U \setminus U')^{\bullet} = \emptyset$ and, similarly, ${}^{\bullet}V' \cap {}^{\bullet}(V \setminus V') = \emptyset$. Since $U^{\bullet} = {}^{\bullet}V$, we must also have
$(U \setminus U')^{\bullet} = {}^{\bullet}(V \setminus V')$ and thus $(U \setminus U', V \setminus V')$ is a synchronisation. By the inductive hypothesis,
there exists a mutually independent family $\{(U_i, V_i)\}_{i \in I}$, and so $\{(U', V')\} \cup \{(U_i, V_i)\}_{i \in I}$ fulfils
the requirements. □



Proof of Theorem

Proof. ($\Rightarrow$) If $[N ; M]_{X,Y} \xrightarrow{\alpha/\beta} [N ; M]_{X',Y'}$, then there exists a mutually independent set of minimal
synchronisations $W \subseteq \mathrm{sync}_{\min}(N, M)$ with ${}^{\bullet}W = \alpha$ and $W^{\bullet} = \beta$. Consider $U \stackrel{\mathrm{def}}{=} \bigcup_{(X,Y) \in W} X \subseteq T_N$
and $V \stackrel{\mathrm{def}}{=} \bigcup_{(X,Y) \in W} Y \subseteq T_M$. Since each $(X, Y) \in W$ is a synchronisation, we have $X^{\bullet} = {}^{\bullet}Y$
and so $U^{\bullet} = {}^{\bullet}V$. By definition, in each $(X, Y) \in W$, $X$ and $Y$ are mutually independent in,
respectively, $N$ and $M$. Since $W$ is mutually independent, if $(X, Y) \neq (X', Y') \in W$ we have
${}^{\circ}(X, Y)^{\circ} \cap {}^{\circ}(X', Y')^{\circ} = \emptyset$, so $({}^{\circ}X^{\circ} + {}^{\circ}Y^{\circ}) \cap ({}^{\circ}X'^{\circ} + {}^{\circ}Y'^{\circ}) = \emptyset$ and thus both ${}^{\circ}X^{\circ} \cap {}^{\circ}X'^{\circ} = \emptyset$
and ${}^{\circ}Y^{\circ} \cap {}^{\circ}Y'^{\circ} = \emptyset$. It follows that $U$ and $V$ are mutually independent in $N$ and $M$, respectively,
and letting $\gamma \stackrel{\mathrm{def}}{=} U^{\bullet} (= {}^{\bullet}V)$ we have $[N]_X \xrightarrow{\alpha/\gamma} [N]_{X'}$ and $[M]_Y \xrightarrow{\gamma/\beta} [M]_{Y'}$, as required.

($\Leftarrow$) If $[N]_X \xrightarrow{\alpha/\gamma} [N]_{X'}$ and $[M]_Y \xrightarrow{\gamma/\beta} [M]_{Y'}$ for some $\alpha \in \{0,1\}^k$, $\beta \in \{0,1\}^m$, $\gamma \in \{0,1\}^l$,
then there exists a mutually independent $U \subseteq T_N$ with ${}^{\bullet}U = \alpha$, $U^{\bullet} = \gamma$ and a mutually independent
$V \subseteq T_M$ with ${}^{\bullet}V = \gamma$, $V^{\bullet} = \beta$. In particular, $(U, V)$ is a synchronisation and so,
using the conclusion of Lemma 10, there exists a mutually independent family $\{(U_i, V_i)\}_{i \in I}$ of
minimal synchronisations with $\bigcup_i U_i = U$ and $\bigcup_i V_i = V$. This family witnesses the transition
$[N ; M]_{X,Y} \xrightarrow{\alpha/\beta} [N ; M]_{X',Y'}$. □



Proof of Corollary

Proof. Simple induction, using the conclusion of Theorem 4. □
Lemma 11. Suppose that $N : k \to l$ and $M : l \to m$ are nets with boundaries. If there is a trace

$[N ; M]_{X,Y} \xrightarrow{\alpha_1/\beta_1} [N ; M]_{X_1,Y_1} \xrightarrow{\alpha_2/\beta_2} \cdots \xrightarrow{\alpha_p/\beta_p} [N ; M]_{X',Y'}$

of some length $p \in \mathbb{N}$, then there exist $\gamma_i \in \{0,1\}^l$ for $1 \le i \le p$ and traces

$[N]_X \xrightarrow{\alpha_1/\gamma_1} [N]_{X_1} \xrightarrow{\alpha_2/\gamma_2} \cdots \xrightarrow{\alpha_p/\gamma_p} [N]_{X'}$

$[M]_Y \xrightarrow{\gamma_1/\beta_1} [M]_{Y_1} \xrightarrow{\gamma_2/\beta_2} \cdots \xrightarrow{\gamma_p/\beta_p} [M]_{Y'}$.

Proof. Induction on the length of the trace, using the conclusion of Theorem 4. □
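The operational content of Theorem 4 and Lemma 11 as an added example, written for this page and not the paper's own implementation: the composite N ; M has a step alpha/beta exactly when N and M have steps alpha/gamma and gamma/beta with the same middle label gamma, so reachability in the composite can be explored by pairing traces of the components. The one-place buffer cell, the state names and the `closed` option are constructed assumptions, not the paper's B_n.

```python
from collections import deque
from itertools import product

class LTS:
    """Transition system with k ports on the left boundary and l on the right.
    A transition (src, a, b, dst) has label a/b, where a and b are 0/1 tuples
    recording which boundary ports the step uses."""
    def __init__(self, k, l, states, trans):
        self.k, self.l = k, l
        self.states = list(states)
        self.trans = set(trans)
        # every state may idle with all ports silent: the epsilon step used in the proofs
        for s in self.states:
            self.trans.add((s, (0,) * k, (0,) * l, s))

def compose(n, m):
    """N ; M: a step alpha/beta of the composite is a step alpha/gamma of N together
    with a step gamma/beta of M for one and the same middle label gamma (Theorem 4)."""
    assert n.l == m.k, "the shared boundary must have the same width on both sides"
    trans = set()
    for (p, a, g, p2), (q, g2, b, q2) in product(n.trans, m.trans):
        if g == g2:
            trans.add(((p, q), a, b, (p2, q2)))
    return LTS(n.k, m.l, product(n.states, m.states), trans)

def reachable(lts, start, closed=True):
    """States reachable from start by traces (Lemma 11). With closed=True the outer
    boundaries are sealed, so only steps whose outer labels are all zero may fire."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for (src, a, b, dst) in lts.trans:
            if src == s and dst not in seen and (not closed or not any(a + b)):
                seen.add(dst)
                todo.append(dst)
    return seen

def cell():
    """Constructed one-place buffer cell (an assumption, not the paper's B_n): when
    empty it takes a token from its left port (1/0); when full it hands the token to
    its right port (0/1)."""
    return LTS(1, 1, ["e", "f"], {("e", (1,), (0,), "f"), ("f", (0,), (1,), "e")})

def buffer(n):
    """Chain n cells; the result again has one port on each outer side."""
    b = cell()
    for _ in range(n - 1):
        b = compose(b, cell())
    return b

if __name__ == "__main__":
    two = buffer(2)
    # sealed boundaries: the token in the first cell can only move into the second cell
    print(sorted(reachable(two, ("f", "e"))))                  # [('e', 'f'), ('f', 'e')]
    print(sorted(reachable(two, ("e", "e"), closed=False)))    # all four markings
```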
Fig. 13: Steps involved in translating T3 to an NFA.



Fig. 14: Decomposition of three dining philosophers. 



Proof of Theorem

Proof. (i) Suppose that $[N ; M]_{X,Y} \stackrel{\alpha/\beta}{\Longrightarrow} [N ; M]_{X',Y'}$ for some $\alpha \in \{0,1\}^k$ and $\beta \in \{0,1\}^m$. Then,
by definition, there exist $X'', Y''$ and $X''', Y'''$ with

$[N ; M]_{X,Y} (\xrightarrow{\epsilon})^{*} [N ; M]_{X'',Y''} \xrightarrow{\alpha/\beta} [N ; M]_{X''',Y'''} (\xrightarrow{\epsilon})^{*} [N ; M]_{X',Y'}$.

Now we use the conclusions of Lemma 11 and Theorem 4 to obtain the required traces.

(ii) If $[N]_X \stackrel{\alpha/\gamma}{\Longrightarrow} [N]_{X'}$ and $[M]_Y \stackrel{\gamma/\beta}{\Longrightarrow} [M]_{Y'}$ for some $\alpha \in \{0,1\}^k$, $\beta \in \{0,1\}^m$, $\gamma \in \{0,1\}^l$, then
there exist $p_N, q_N, p_M, q_M \in \mathbb{N}$, $X'', X''' \subseteq P_N$, $Y'', Y''' \subseteq P_M$ and traces

$[N]_X (\xrightarrow{\epsilon})^{p_N} [N]_{X''} \xrightarrow{\alpha/\gamma} [N]_{X'''} (\xrightarrow{\epsilon})^{q_N} [N]_{X'}$ and $[M]_Y (\xrightarrow{\epsilon})^{p_M} [M]_{Y''} \xrightarrow{\gamma/\beta} [M]_{Y'''} (\xrightarrow{\epsilon})^{q_M} [M]_{Y'}$.

Now, using the fact that each net in any marking can make an $\epsilon$ transition and remain in the same
marking (witnessing the firing of the empty set of transitions), we can use Theorem 4 to obtain:

$[N ; M]_{X,Y} (\xrightarrow{\epsilon})^{*} [N ; M]_{X'',Y''} \xrightarrow{\alpha/\beta} [N ; M]_{X''',Y'''} (\xrightarrow{\epsilon})^{*} [N ; M]_{X',Y'}$

and thus $[N ; M]_{X,Y} \stackrel{\alpha/\beta}{\Longrightarrow} [N ; M]_{X',Y'}$, as required. □
Proof of Theorem

Proof. We prove this by structural induction on $t$. The base case, when $t$ is a variable, trivially
holds. The interesting inductive case is $t ; t'$. We must show that $\mathrm{emin}(\mathrm{trans}(t)_{(V,Y)} ; \mathrm{trans}(t')_{(V,Y)})$
is isomorphic to $\mathrm{emin}(\mathrm{NFA}([\![t ; t']\!]_V, \mathrm{mrk}(t ; t')_X, \mathrm{mrk}(t ; t')_Y))$. Using the definitions of $[\![-]\!]_V$
and $\mathrm{mrk}(-)$:

$\mathrm{emin}(\mathrm{NFA}([\![t ; t']\!]_V, \mathrm{mrk}(t ; t')_X, \mathrm{mrk}(t ; t')_Y))$

$= \mathrm{emin}(\mathrm{NFA}([\![t]\!]_V ; [\![t']\!]_V, \mathrm{mrk}(t)_X \uplus \mathrm{mrk}(t')_X, \mathrm{mrk}(t)_Y \uplus \mathrm{mrk}(t')_Y))$ (3)

The inductive hypothesis gives us that

$\mathrm{trans}(t)_{(V,Y)} \cong \mathrm{emin}(\mathrm{NFA}([\![t]\!]_V, \mathrm{mrk}(t)_X, \mathrm{mrk}(t)_Y))$ (4)

and

$\mathrm{trans}(t')_{(V,Y)} \cong \mathrm{emin}(\mathrm{NFA}([\![t']\!]_V, \mathrm{mrk}(t')_X, \mathrm{mrk}(t')_Y))$ (5)

Substituting (4) and (5) into the claim above, and using (3), our task reduces to showing that:

$\mathrm{emin}(\mathrm{emin}(\mathrm{NFA}([\![t]\!]_V, \mathrm{mrk}(t)_X, \mathrm{mrk}(t)_Y)) ; \mathrm{emin}(\mathrm{NFA}([\![t']\!]_V, \mathrm{mrk}(t')_X, \mathrm{mrk}(t')_Y)))$

$\cong \mathrm{emin}(\mathrm{NFA}([\![t]\!]_V ; [\![t']\!]_V, \mathrm{mrk}(t)_X \uplus \mathrm{mrk}(t')_X, \mathrm{mrk}(t)_Y \uplus \mathrm{mrk}(t')_Y))$ (6)

To do this, it is sufficient to show that

$\mathrm{ecl}(\mathrm{emin}(\mathrm{NFA}([\![t]\!]_V, \mathrm{mrk}(t)_X, \mathrm{mrk}(t)_Y)) ; \mathrm{emin}(\mathrm{NFA}([\![t']\!]_V, \mathrm{mrk}(t')_X, \mathrm{mrk}(t')_Y)))$ (7)

and

$\mathrm{ecl}(\mathrm{NFA}([\![t]\!]_V ; [\![t']\!]_V, \mathrm{mrk}(t)_X \uplus \mathrm{mrk}(t')_X, \mathrm{mrk}(t)_Y \uplus \mathrm{mrk}(t')_Y))$ (8)

recognise the same language, where $\mathrm{ecl}(-)$ means $\epsilon$-closure. But (7) recognises the same language
as

$\mathrm{ecl}(\mathrm{NFA}([\![t]\!]_V, \mathrm{mrk}(t)_X, \mathrm{mrk}(t)_Y) ; \mathrm{NFA}([\![t']\!]_V, \mathrm{mrk}(t')_X, \mathrm{mrk}(t')_Y))$ (9)

and now the translation between paths in (8) and (9) follows directly from the conclusion of
Theorem 3. □




Fig. 15: Fixed point reached at minimal DFA for PhRows, error state not drawn. 



